New changes

Author: petergmurphy

manifests/setup/legacy_compiler_group.pp

@@ -10,15 +10,13 @@
 
   node_group { 'PE Legacy Compiler':
     ensure         => 'present',
-    parent         => 'PE Infrastructure',
+    parent         => 'PE Master',
     purge_behavior => 'rule',
     rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
     classes        => {
-      'puppet_enterprise::profile::master' => {
-        'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
-        'puppetdb_port'               => [8081],
-        'replication_mode'            => 'none',
-        'code_manager_auto_configure' => true,
+      'puppet_enterprise::profile::master'   => {
+        'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
+        'puppetdb_port' => [8081],
       },
     },
   }

plans/add_compilers.pp

@@ -16,6 +16,12 @@
   $compiler_targets          = peadm::get_targets($compiler_hosts)
   $primary_target            = peadm::get_targets($primary_host, 1)
 
+  # Check if PE Master rules have been updated to support pe_compiler_legacy
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_host).first.value
+  unless $rules_check['updated'] {
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
+  }
+
   # Get current peadm config to determine where to setup additional rules for
   # compiler's secondary PuppetDB instances
   $peadm_config = run_task('peadm::get_peadm_config', $primary_target).first.value

plans/convert.pp

@@ -60,6 +60,48 @@
 
   out::message('# Gathering information')
 
+  $cert_extensions_temp = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
+    $memo + { $result.target.peadm::certname() => $result['extensions'] }
+  }
+
+  # Add legacy compiler role to compilers that are missing it
+  $compilers_with_legacy_compiler_flag = $cert_extensions_temp.filter |$name,$exts| {
+    ($name in $compiler_targets.map |$t| { $t.name } or $name in $legacy_compiler_targets.map |$t| { $t.name }) and
+    ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
+  }
+
+  if $compilers_with_legacy_compiler_flag.size > 0 {
+    $legacy_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
+    }.keys
+
+    $modern_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
+    }.keys
+
+    if $modern_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $modern_compilers_with_flag,
+        primary_host   => $primary_target,
+        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
+      )
+    }
+
+    if $legacy_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $legacy_compilers_with_flag,
+        primary_host   => $primary_target,
+        add_extensions => {
+          'pp_auth_role' => 'pe_compiler_legacy',
+        },
+        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
+      )
+    }
+
+    run_task('peadm::puppet_runonce', peadm::flatten_compact([
+          $compiler_targets,
+          $legacy_compiler_targets,
+    ]))
+  }
+
   # Get trusted fact information for all compilers. Use peadm::certname() as
   # the hash key because the apply block below will break trying to parse the
   # $compiler_extensions variable if it has Target-type hash keys.
@@ -318,6 +360,9 @@
       run_command('systemctl restart pe-puppetserver.service pe-puppetdb.service', $compiler_targets)
     }
 
+    # Update PE Master rules to support legacy compilers
+    run_task('peadm::update_pe_master_rules', $primary_target)
+
     # Run puppet on all targets again to ensure everything is fully up-to-date
     run_task('peadm::puppet_runonce', $all_targets)
   }
@@ -333,7 +378,5 @@
 # lint:endignore
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }

plans/convert_compiler_to_legacy.pp

@@ -7,6 +7,12 @@
   $primary_target            = peadm::get_targets($primary_host, 1)
   $convert_legacy_compiler_targets   = peadm::get_targets($legacy_hosts)
 
+  # Check if PE Master rules have been updated to support pe_compiler_legacy
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_target).first.value
+  unless $rules_check['updated'] {
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
+  }
+
   $cluster = run_task('peadm::get_peadm_config', $primary_host).first.value
   $error = getvar('cluster.error')
   if $error {

plans/install.pp

@@ -143,8 +143,6 @@
     final_agent_state                => $final_agent_state,
   )
 
-  run_task('peadm::update_pe_master_rules', $primary_host)
-
   # Return a string banner reporting on what was done
   return([$install_result, $configure_result])
 }

plans/subplans/configure.pp

@@ -174,5 +174,9 @@
         $legacy_compiler_targets,
   ]))
 
+  # Update PE Master rules to support legacy compilers
+  run_task('peadm::update_pe_master_rules', $primary_host)
+  run_task('peadm::puppet_runonce', $legacy_compiler_targets)
+
   return("Configuration of Puppet Enterprise ${arch['architecture']} succeeded.")
 }

plans/update_compiler_extensions.pp

@@ -146,41 +146,12 @@
     ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   if $compilers_with_legacy_compiler_flag.size > 0 {
-    $legacy_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
-    }.keys
-
-    $modern_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
-    }.keys
-
-    if $modern_compilers.size > 0 {
-      out::message('MODERN COMPILERS: Beginning removal of legacy compiler flag')
-      out::message($modern_compilers)
-      run_plan('peadm::modify_certificate', $modern_compilers,
-        primary_host   => $primary_target,
-        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
-      )
-      out::message('MODERN COMPILERS: Removed legacy compiler flag')
-    }
-
-    if $legacy_compilers.size > 0 {
-      out::message('LEGACY COMPILERS: Beginning addition of legacy compiler role and removal of legacy compiler flag')
-      out::message($legacy_compilers)
-      run_plan('peadm::modify_certificate', $legacy_compilers,
-        primary_host   => $primary_target,
-        add_extensions => {
-          'pp_auth_role' => 'pe_compiler_legacy',
-        },
-        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
-      )
-      out::message('LEGACY COMPILERS: Added legacy compiler role and removed legacy compiler flag')
-    }
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
   }
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
     $memo + { $result.target.peadm::certname => $result['extensions'] }

plans/upgrade.pp

@@ -0,0 +1,24 @@
+{
+  "description": "Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role",
+  "input_method": "stdin",
+  "private": true,
+  "implementations": [
+    {"name": "check_pe_master_rules.rb"}
+  ],
+  "parameters": {},
+  "supports_noop": false,
+  "output": {
+    "updated": {
+      "description": "Whether the PE Master rules have already been updated",
+      "type": "Boolean"
+    },
+    "message": {
+      "description": "A message describing the current state of the PE Master rules",
+      "type": "String"
+    },
+    "error": {
+      "description": "Error message if the task failed",
+      "type": "Optional[String]"
+    }
+  }
+} 

tasks/check_pe_master_rules.json

@@ -0,0 +1,125 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/https'
+require 'puppet'
+
+# CheckPeMasterRules task class
+class CheckPeMasterRules
+  def initialize(params)
+    @params = params
+  end
+
+  def https_client
+    client = Net::HTTP.new(Puppet.settings[:certname], 4433)
+    client.use_ssl = true
+    client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
+    client
+  end
+
+  def get_pe_master_group_id
+    net = https_client
+    res = net.get('/classifier-api/v1/groups')
+
+    unless res.code == '200'
+      raise "Failed to fetch groups: HTTP #{res.code} - #{res.body}"
+    end
+
+    groups = JSON.parse(res.body)
+    pe_master_group = groups.find { |group| group['name'] == 'PE Master' }
+
+    raise 'Could not find PE Master group' unless pe_master_group
+    pe_master_group['id']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching PE Master group ID: #{e.message}"
+  end
+
+  def get_current_rules(group_id)
+    net = https_client
+    url = "/classifier-api/v1/groups/#{group_id}/rules"
+    req = Net::HTTP::Get.new(url)
+    res = net.request(req)
+
+    unless res.code == '200'
+      raise "Failed to fetch rules: HTTP #{res.code} - #{res.body}"
+    end
+
+    JSON.parse(res.body)['rule']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching rules: #{e.message}"
+  end
+
+  def check_rules_updated(rules)
+    # If not an array, return false
+    return false unless rules.is_a?(Array)
+
+    # Check if this is an 'and' rule with at least 2 elements
+    if rules[0] == 'and' && rules.length > 1
+      # Check if the first element is an 'or' rule for pe_compiler and pe_compiler_legacy
+      if rules[1].is_a?(Array) && rules[1][0] == 'or'
+        # Look for the pe_compiler and pe_compiler_legacy rules
+        pe_compiler_found = false
+        pe_compiler_legacy_found = false
+
+        rules[1][1..-1].each do |rule|
+          if rule.is_a?(Array) && 
+             rule[0] == '=' && 
+             rule[1].is_a?(Array) && 
+             rule[1] == ['trusted', 'extensions', 'pp_auth_role']
+            
+            pe_compiler_found = true if rule[2] == 'pe_compiler'
+            pe_compiler_legacy_found = true if rule[2] == 'pe_compiler_legacy'
+          end
+        end
+
+        return pe_compiler_found && pe_compiler_legacy_found
+      end
+    end
+
+    # Check if the rule is already using a regex match
+    if rules[0] == '~' && 
+       rules[1].is_a?(Array) && 
+       rules[1] == ['trusted', 'extensions', 'pp_auth_role'] && 
+       rules[2] == '^pe_compiler.*$'
+      return true
+    end
+
+    false
+  end
+
+  def execute!
+    begin
+      group_id = get_pe_master_group_id
+      current_rules = get_current_rules(group_id)
+      
+      is_updated = check_rules_updated(current_rules)
+      
+      result = {
+        'updated' => is_updated,
+        'message' => is_updated ? 
+          'PE Master rules have already been updated with pe_compiler_legacy support' : 
+          'PE Master rules need to be updated to support pe_compiler_legacy'
+      }
+      
+      puts result.to_json
+    rescue StandardError => e
+      puts({ 'error' => e.message, 'updated' => false }.to_json)
+      exit 1
+    end
+  end
+end
+
+# Run the task unless an environment flag has been set
+unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
+  task = CheckPeMasterRules.new(JSON.parse(STDIN.read))
+  task.execute!
+end